You can view the history of all actions associated with a Finding from the Findings list or the Findings Investigation page.

NOTE: Once a Finding is dismissed, history will no longer be recorded, although it still can be viewed. If a new Finding is raised for the same indicator, a new history for the Finding will be created.

To view a Finding's history from the Findings list:

  1. Select the Finding whose history you want to view.

  2. Click the View History button.

    NOTE: If more than one Finding in the list is selected, the button will be disabled.

To view a Finding's history from the Findings Investigation page:

Click the View History button.

For each action associated with the Finding (listed from newest to oldest), the following information displays:

  • Date

    NOTE: This field displays the signed-in user's local date and time.

  • Action

  • Source

  • Actor

For a Tier Zero [object] indicator, the history will include:

  • when the object was detected and whether the source was the provider (Security Guardian or BloodHound Enterprise) or Manually added.

  • when the Finding was created by Security Guardian.

For a Hygiene, Detected TTP, or Detected Anomaly Indicator the history will include:

  • when a Hygiene, Detected TTP, or Detected Anomaly object was detected and whether the source was Assessments or On Demand Audit.
  • when the Finding was created by Security Guardian.
  • when any objects within the Finding were muted/unmuted.
  • for an unprotected Active Directory Tier Zero object Finding, when the object was protected (if applicable).